DNSSEC meets real world: dealing with unreachability caused by fragmentation

Gijs van den Broek, Roland van Rijswijk-Deij, Roland M. van Rijswijk, Anna Sperotto, Aiko Pras

Research output: Contribution to journal › Article

  • 7 Citations

Abstract

The Domain Name System (DNS) provides a critical service on the Internet: translating host names into IP addresses. Traditional DNS does not provide guarantees about authenticity and origin integrity. DNSSEC, an extension to DNS, improves this by using cryptographic signatures, at the expense of larger response messages. Some of these larger response messages experience fragmentation, and may, as a result of that, be blocked by firewalls. As a consequence, resolvers behind such firewalls will no longer receive complete responses from name servers, leading to certain Internet zones becoming unreachable because no translation into IP addresses can be performed. Our research shows that despite ongoing efforts to educate firewall and resolver administrators, as much as 10% of all resolvers suffer from fragmentation-related connectivity issues. Given that some major Internet companies were reluctant to adopt even a technology like IPv6 if it meant that a small percentage of their users would have connectivity issues, it is clear that we cannot rely on resolver/firewall operators alone to tackle this issue. The contribution of this paper is that it a) quantifies the severity of these DNSSEC deployment problems, based on extensive measurements at a major National Research and Education Network (NREN) and backed up by validation of these findings at an independent second location, b) proposes two potential solutions at the DNS authoritative name server side, and c) validates both solutions, again based on extensive measurements on the operational network of this major NREN. The paper concludes with a recommendation favoring our first solution. The first solution is relatively simple to implement and gives DNS zone operators control over this problem without having to rely on all resolver operators solving the issue.
Language: Undefined
Pages: 154-160
Number of pages: 7
Journal: IEEE communications magazine
Volume: 52
Issue number: 4
DOIs: 10.1109/MCOM.2014.6828880
State: Published - Apr 2014

Keywords

  • EWI-24758
  • IR-91458
  • METIS-305889

Cite this

@article{ffbecebc0e0e4dc3b8cfac6a0614b47e,
title = "DNSSEC meets real world: dealing with unreachability caused by fragmentation",
abstract = "The Domain Name System (DNS) provides a critical service on the Internet: translating host names into IP addresses. Traditional DNS does not provide guarantees about authenticity and origin integrity. DNSSEC, an extension to DNS, improves this by using cryptographic signatures, at the expense of larger response messages. Some of these larger response messages experience fragmentation, and may, as a result of that, be blocked by firewalls. As a consequence, resolvers behind such firewalls will no longer receive complete responses from name servers, leading to certain Internet zones becoming unreachable because no translation into IP addresses can be performed. Our research shows that despite ongoing efforts to educate firewall and resolver administrators, as much as 10{\%} of all resolvers suffer from fragmentation-related connectivity issues. Given that some major Internet companies were reluctant to adopt even a technology like IPv6 if it meant that a small percentage of their users would have connectivity issues, it is clear that we cannot rely on resolver/firewall operators alone to tackle this issue. The contribution of this paper is that it a) quantifies the severity of these DNSSEC deployment problems, based on extensive measurements at a major National Research and Education Network (NREN) and backed up by validation of these findings at an independent second location, b) proposes two potential solutions at the DNS authoritative name server side, and c) validates both solutions, again based on extensive measurements on the operational network of this major NREN. The paper concludes with a recommendation favoring our first solution. The first solution is relatively simple to implement and gives DNS zone operators control over this problem without having to rely on all resolver operators solving the issue.",
keywords = "EWI-24758, IR-91458, METIS-305889",
author = "{van den Broek}, Gijs and {van Rijswijk-Deij}, Roland and {van Rijswijk}, {Roland M.} and Anna Sperotto and Aiko Pras",
note = "eemcs-eprint-24758",
year = "2014",
month = "4",
doi = "10.1109/MCOM.2014.6828880",
language = "Undefined",
volume = "52",
pages = "154--160",
journal = "IEEE communications magazine",
issn = "0163-6804",
publisher = "Institute of Electrical and Electronics Engineers Inc.",
number = "4",
}
